On 6/15/2012 9:10 PM, Gustavo Lacoste wrote:
Thanks guys!, John you can send me a simple filter for fail2ban+SMTP? I tried use the following filters, but this is no sufficient for my yet.
*/etc/fail2ban/filter.d/sendmail.conf*
[Definition] failregex = [<HOST>], reject.*... Relaying denied (User unknown)\n* [<HOST>] badlogin: .* [<HOST>] plaintext .* SASL reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi%5C?ip=<HOST> ignoreregex =
*/etc/fail2ban/filter.d/dovecot-pop3imap.conf * [Definition] failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
First, I switched to Postfix on my last CentOS 5 and all CentOS 6 installs. These rules are from v5 boxes, but are pretty old now. My strongest rules were on CentOS 4 systems, which have been retired, trashed or recycled. Make sure they match up to your logging.
Dovecot Auth Failures:
failregex = dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
Spamhaus Failures:
failregex = sendmail.*?(?:ruleset=check_relay).* relay=<HOST> .* ?reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] policies see: http://spamhaus%5C.org/
Plug in what you want for xbl. This catches almost all of our blocks. I cannot use pbl therefor zen due to outbound from pbl listed networks. Or at least that is how I understand it. I never tried.
These systems were never what I would call production servers and apparently there was never a need to catch the user unknown errors. Unfortunately, my rules for that are gone now for Sendmail. Also, I'm not good at regexs. Pretty much I started with the exact log containing the failure and worked back from there to what I have.
I have noted that Fail2Ban maintainers seem to be supporting Postfix. I think I've been grabbing it from epel or maybe dag. Most of the rules work out of the box. But I'd never suggest that Postfix is better than Sendmail, nor would I suggest you choose one over the other.